Passphrases and breached passwords
Passphrases are great and we encourage everyone to consider a passphrase-based password policy when implementing our nFront Password Filter product. However, I wanted to raise awareness around passphrases. Though you may have adopted a passphrase policy, it is still a great idea to check against breached passwords and to consider a dictionary blacklist to keep certain words or phrases off limits.
It is easy to assume that a password over 15 characters is pretty secure, especially if it has 2 or 3 spaces mixed in. This seems reasonable. However, when we introduce the human element, things change. Humans are predictable and like patterns.
I used our command line tool to check some phrases related to movie quotes against the HIBP database of breached passwords. The results may surprise you. I assembled some phrases based on various movie quote websites. I then tested those phrases against HIBP. Our password filter system and command line tool can check a password against the database in less than 60 milliseconds if you have downloaded the local file. We can also check against the HIBP API. It usually returns results in a 1/2 second or less.
Below are some examples of using our command line tool (npf-checkHash.exe).

Here is a more comprehensive list.

If I told you my password has 25 characters and 5 spaces, you would naturally assume it is pretty secure. However, if my password is “may the force be with you,” it has been breached and should be disallowed on corporate networks.
Of course, no password policy is perfect and we can poke holes in nearly any policy. However, it is important to recognize that not all long passwords with spaces are secure.
You can take some actions to combat this. The easiest thing you can do is use nFront Password Filter and configure it to check passwords against the HIBP API.
You can also use a custom dictionary blacklist to block passphrases as well as common dictionary words. We always recommend using our dictionary feature and customizing it with terms like your company name, product names, terms specific to your industry, prior “default” passwords, the names of local restaurants, sports teams, mascots, etc.
Customizing the dictionary blacklist is as simple as editing the file in Notepad or your favorite text editor. It is Unicode and supports all printable characters in the world, so multi-language support is not a problem.
Another great suggestion we picked up from a customer is to put your “example” passphrases in the dictionary. In our customer’s case, they had sent communication about passphrases and provided 3 example passphrases to the users. If you have provided such examples, it is likely that a user will simply adopt your example passphrase, so you want to block it with the dictionary. For instance, you don’t want to tell them that “correct horse battery staple” is a good passphrase, only to find that 12 of your 500 users have selected it as their password. BTW, “correct horse battery staple” is a breached password/passphrase.
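The two checks described above, a HIBP-style breached-hash lookup and a custom dictionary blacklist that includes your own example passphrases, as an added Python example that is not nFront's code. The breached list and blacklist are constructed sample data, and the range lookup is simulated against a tiny local index rather than calling the HIBP API.

```python
import hashlib

# Constructed sample data, not real HIBP output: phrases the post reports as
# breached, used to build a tiny local index in the HIBP range format.
CONSTRUCTED_BREACHED = ["may the force be with you",
                        "correct horse battery staple", "Password1"]

# Constructed dictionary blacklist in the spirit of the post's advice: a
# company term, an old default password, and the example passphrase users saw.
CONSTRUCTED_BLACKLIST = ["nfront", "Welcome2019", "correct horse battery staple"]


def sha1_upper(password):
    """Upper-case SHA-1 hex digest, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Bucket hashes by their first 5 hex chars, mirroring the k-anonymity
    range API: the client sends only the prefix and receives every 35-char
    suffix in that bucket, so the candidate's full hash never leaves the host."""
    index = {}
    for pw in breached:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def is_breached(candidate, index):
    """Look up the candidate's prefix, then compare suffixes locally."""
    digest = sha1_upper(candidate)
    prefix, suffix = digest[:5], digest[5:]
    # A real range response is one "SUFFIX:COUNT" line per hash; simulate it.
    response = "\n".join(f"{s}:1" for s in index.get(prefix, []))
    return any(line.split(":", 1)[0] == suffix for line in response.splitlines())


def blacklist_hits(candidate, blacklist):
    """Case-insensitive substring match, so 'nFront2024!' trips on 'nfront'."""
    lowered = candidate.lower()
    return [term for term in blacklist if term.lower() in lowered]


def evaluate(candidate, breached=CONSTRUCTED_BREACHED,
             blacklist=CONSTRUCTED_BLACKLIST):
    """Return the reasons to reject a candidate; an empty list means accept."""
    reasons = []
    if is_breached(candidate, build_range_index(breached)):
        reasons.append("breached")
    reasons += [f"blacklist:{term}" for term in blacklist_hits(candidate, blacklist)]
    return reasons
```

A 25-character, 5-space passphrase is rejected on the breach check alone, while a passphrase containing a blacklisted term is rejected even if no breach corpus has seen it.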
It is a wild world out there in Cybersecurity. Stay safe!